System and method for secure network mobility

ABSTRACT

A system and method are provided for use in maintaining secure communications between a home network and a mobile client when the client roams outside of the home network to a new location. One method of the present invention includes the steps of: establishing a new IP address for the new client location; sending a registration message identifying the new IP address location; authenticating the registration message; encapsulating and transmitting the registration message to the home server; registering the new IP address as a care-of-address for the client at the home server; confirming the registration of the new IP address with the client; establishing a security association between the home server and the relay server on behalf of the client; performing network address translation between the client's permanent IP address and the client's new IP address; tunneling packets addressed for the client between the home server and the relay server based on the established security association and the address translation for the client; and decapsulating the packets at the relay server and forwarding the packets to the client.

CLAIM TO BENEFIT OF PROVISIONAL APPLICATION

[0001] This application claims the benefit of U.S. Provisional Application No. 60/247,008 filed Nov. 13, 2000.

FIELD OF INVENTION

[0002] The present invention generally relates to a system and method for enhancing computer network mobility. More specifically, the present invention relates to a system and method for providing secure, Internet Protocol (IP) mobility.

BACKGROUND OF THE INVENTION

[0003] The current standard for Mobile IP allows a mobile user to maintain connections as the user roams through the Internet, and allows mobile users to be reached under the same IP address. Accordingly, the current system for Mobile IP facilitates bi-directional communication, and supports mobile servers (or routers or other network resources).

[0004] Mobile IP is an open Internet standard and is specified mainly in IETF RFC 2002, which is hereby incorporated by reference. The fundamental premise of Mobile IP is that a mobile user can maintain the same network address regardless of where he roams. This ability is fundamentally important and desirable for two reasons: (1) connections can be maintained while roaming from one network to another and (2) bi-directional communications become possible. Connections can be maintained for IP-based communications protocols such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). For these protocols, connections are identified by four parameters, namely source and destination IP addresses and source and destination port numbers. Without Mobile IP, roaming requires a change in the mobile user's IP address, which in turn leads to a loss of all connections established under the previous IP address. Hence, Mobile IP's ability to maintain the same IP address allows for “seamless” roaming in the sense that connections can be maintained while roaming. Another benefit from maintaining a single IP address is true bi-directional communications. That is, connections can be established with roaming mobile devices (hereafter referred to as “clients”) as the destination. This ability is crucial for interactive applications (like MS NetMeeting, CUSeeMe, PowWow, and others). It also paves the way for mobile information servers. It is important to realize that these benefits apply to all IP-based applications. From the perspective of the application, and thus of the user, there is only a single, permanent IP address that identifies each client (i.e. laptop, handheld, smart-phone) regardless of its location.

[0005] Mobile IP works by employing two IP addresses: a permanent IP address is visible to applications and the user, while a second, temporary or care-of address is used to ensure proper routing. Accordingly, when a party is traveling away from their home network, their client establishes a new IP address and this new IP address is forwarded back to their home network as a forwarding address for all message traffic addressed to the original, permanent IP address. Accordingly, the mobile user has their packets routed to them as if they were still connected to their home network terminal. In operation, Mobile IP software arbitrates between the two addresses and hides mobility from applications and the user.

[0006] In most applications, Mobile IP operates through software resident on the mobile user's home network. This software (sometimes referred to as an “agent”) intercepts packets arriving for departed clients and forwards them to the clients at their care-of addresses. In some cases, Mobile IP includes the use of Mobile IP software resident on various subnets visited by the roaming clients (termed “Foreign Agents”). In many cases, the use of Foreign Agents is not strictly required since their functionality may be subsumed into the clients themselves. A client operating without a Foreign Agent is said to be in co-located mode.

[0007] The strength of the Mobile IP protocol clearly is that it enables seamless roaming and bi-directional communications. From a practical perspective, however, Mobile IP by itself is inadequate. Most importantly, Mobile IP has been designed for an open Internet. Security has scarcely been considered in its specification. In practice, a mobile user's communications must be protected against eavesdropping and tampering.

[0008] In addition to providing no security for its own networks, Mobile IP networks, as presently configured and practiced, do not provide any practical means for securely accessing the protected corporate networks with which they communicate. In particular, the Mobile IP protocol will not work through such devices as firewalls or VPN gateways, which are increasingly common.

SUMMARY OF THE INVENTION

[0009] According to the present invention there is provided a system and method for secure IP mobility which allows roaming users to securely access their home networks.

[0010] An additional advantage of the present invention is the provision of a system for advanced IP mobility which provides secure Internet communications from any location and at any time.

[0011] Another advantage of the present invention is the provision of a system for advanced IP mobility which provides bi-directional communications.

[0012] Still another advantage of the present invention is the provision of a system for advanced IP mobility which does not burden the user with respect to management of network interfaces.

[0013] Additional objects and advantages of the present invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objects and advantages of the invention may be realized and attained by means of instrumentalities and combinations, particularly pointed out in the appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

[0014] The invention may take physical form in certain parts and arrangements of parts, a preferred embodiment and method of which will be described in detail in this specification and illustrated in the accompanying drawings which form a part hereof, and wherein:

[0015] FIG. 1 is a simplified schematic representation illustrating one example of a computer network configuration for use with one embodiment of the present invention;

[0016] FIG. 2 is a simplified schematic representation illustrating another example of a computer network configuration for use with a second embodiment of the present invention;

[0017] FIG. 3 is a simplified flowchart of a method for providing secure network communications in accordance with one embodiment of the present invention;

[0018] FIG. 4 illustrates a simplified network arrangement for the secure traversal of firewalls using authenticated HTTP tunneling;

[0019] FIG. 5 is a flow chart of a method for the secure traversal of firewalls in accordance with a preferred embodiment of the present invention;

[0020] FIG. 6 illustrates a simplified network arrangement for the secure traversal of firewalls and VPN gateways using a relay or proxy server;

[0021] FIG. 7 illustrates a simplified network arrangement for the secure traversal of firewalls using an IPSec Gateway.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

[0022] Reference will now be made in detail to the present preferred embodiment of the invention, an example of which is illustrated in the accompanying drawings, in which like reference characters refer to corresponding elements. Preferably, the system and method of the present invention described below may be implemented by an interactive computer software application incorporated within a computer-readable medium such as a hard disk drive, an optical medium such as a compact disk, or the like. Further, the computer-readable medium may be available to a user either locally on the user's computer or remotely over a computer network, such as a local area network (LAN) or through the Internet.

[0023] The present invention is designed to provide mobile professionals with unparalleled networking support and security. This entails that mobility becomes transparent to users of the present invention. Accordingly, as the user of the present invention roams away from his office and the network provided there, he can continue to communicate without interruption and without the need to reconfigure his enabled device or client (i.e. laptop, handheld, smart-phone). The present invention provides a comprehensive solution to cryptographically protect information exchanged by mobile users as soon as they leave the protection of their corporate network. Additionally, the present invention provides multiple means of gaining access to resources on the protected corporate network.

[0024] A unique and important feature provided by the present invention is the ability to maintain the same network (IP) address as on the corporate network. This makes the present invention the only solution to allow mobile users to receive connections. This ability is crucial in interactive, peer-to-peer applications (like MS NetMeeting) when the mobile user is the recipient of a “call.”

[0025] FIG. 1 illustrates an example network arrangement 10 employing a system and method of the present invention in accordance with a preferred embodiment of the invention. It should be understood that the present invention operates independent of any particular arrangement or mix of network components and that network 10 depicted in FIG. 1 is purely illustrative and simplified for the purpose of explanation.

[0026] As shown in FIG. 1, exemplary network arrangement 10 is comprised of a home network 12 which includes a home network server 14 and a client 16 located within the home network 12. As shown in FIG. 1, when operating in its home network 12, the client 16 may be linked directly to the home server 14 via LAN or similar connection 18. As further shown in FIG. 1, when a client 24 roams outside of its home network 12, the client 24 may still gain access to its home server 14 via encrypted link 26, relay server 22 and encrypted tunnel 20 as described in detail below with reference to FIG. 3.

[0027] FIG. 3 shows a block diagram 100 illustrating operation of the present invention. At step 100, a roaming client 24 establishes a new IP address for its new location outside of its home network 12. At step 102, client 24 sends a message identifying and registering its new address to a relay server 22, which may include a Foreign Agent for communicating with home server 14. At step 103, the relay server 22 authenticates the client's 24 message to ensure the identity of the client 24. At step 104, relay server 22 encapsulates the registration message from the client 24 and transmits the encapsulated message to the home server 14. At step 105, the home server 14 registers the new IP address as a care-of-address for the client 24. At step 106, the home server 14 transmits a reply message to the client confirming the registration of said new IP address. At step 107, the home server 14 and relay server 22 establish a security association on behalf of said client as detailed below. At step 108, the home server 14 begins performing network address translation between the client's 24 permanent IP address and the client's 24 new IP address for traffic addressed for the client 24. At step 109, the home server 14 and relay server 22 establish an encrypted tunnel 20 and begin encapsulating and tunneling packets addressed for the client 24 from the home server 14 to the relay server 22 based on the established security association and the address translation for the client 24. At step 110, relay server 22 decapsulates the tunneled packets and forwards them to the client via link 26, which may be encrypted.
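The steps of FIG. 3 run end to end as an added Python simulation (not code from the patent): a relay that authenticates the registration before encapsulating it, a home server that keeps the care-of binding and performs the address translation, and a tunnel whose packets the relay checks for integrity and replay before forwarding. The addresses, shared secret and message layouts are constructed; HMAC-SHA256 stands in for the keyed-MD5 authentication extension of RFC 2002, and a pre-shared key stands in for the IKE negotiation of step 107.

```python
"""Simulation of the FIG. 3 flow (steps 100-110). Addresses, the shared secret
and the message layouts are constructed for this example; HMAC-SHA256 stands in
for the RFC 2002 keyed-MD5 authentication extension and a pre-shared tunnel key
stands in for the IKE negotiation of step 107."""
from __future__ import annotations
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

HOME_IP = "10.0.0.5"          # client 24's permanent address in home network 12
HOME_SERVER_IP = "10.0.0.1"   # home server 14
RELAY_IP = "198.51.100.7"     # relay server 22 (documentation address range)
CARE_OF_IP = "203.0.113.42"   # new address obtained at the visited network (step 100)
REG_SECRET = b"client-home-shared-secret"   # constructed Mobile-Home shared secret

def mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_registration(home_addr: str, care_of: str, secret: bytes) -> dict:
    """Step 102: registration request carrying an HMAC authenticator."""
    body = {"home_addr": home_addr, "care_of": care_of, "ident": secrets.token_hex(8)}
    canon = json.dumps(body, sort_keys=True).encode()
    return {**body, "auth": mac(secret, canon)}

def verify_registration(msg: dict, secret: bytes) -> bool:
    """Step 103: the relay checks the authenticator before encapsulating anything."""
    body = {k: v for k, v in msg.items() if k != "auth"}
    canon = json.dumps(body, sort_keys=True).encode()
    return hmac.compare_digest(msg.get("auth", ""), mac(secret, canon))

@dataclass
class SecurityAssociation:
    """Step 107: minimal SA (SPI, integrity key, send counter, last accepted sequence)."""
    spi: int
    key: bytes
    seq: int = 0
    last_seen: int = 0

class HomeServer:
    def __init__(self) -> None:
        self.bindings: dict = {}          # permanent IP -> care-of IP (step 105)
        self.sa: Optional[SecurityAssociation] = None

    def register(self, encapsulated: dict) -> dict:
        """Steps 105-106: bind the care-of address and confirm to the client."""
        msg = encapsulated["inner"]
        self.bindings[msg["home_addr"]] = msg["care_of"]
        return {"code": 0, "home_addr": msg["home_addr"], "ident": msg["ident"]}

    def translate(self, pkt: dict) -> Optional[dict]:
        """Step 108: rewrite the destination from the permanent to the care-of address."""
        care_of = self.bindings.get(pkt["dst"])
        return None if care_of is None else {**pkt, "dst": care_of}

    def tunnel(self, pkt: dict) -> dict:
        """Step 109: encapsulate towards the relay and authenticate under the SA."""
        self.sa.seq += 1
        inner = json.dumps(pkt, sort_keys=True)
        hdr = f"{self.sa.spi}:{self.sa.seq}"
        return {"src": HOME_SERVER_IP, "dst": RELAY_IP, "hdr": hdr, "inner": inner,
                "icv": mac(self.sa.key, (hdr + inner).encode())}

class RelayServer:
    def __init__(self) -> None:
        self.sa: Optional[SecurityAssociation] = None

    def forward_registration(self, msg: dict, home: HomeServer) -> dict:
        """Steps 103-104: authenticate, then encapsulate and pass to the home server."""
        if not verify_registration(msg, REG_SECRET):
            return {"code": 131}   # RFC 2002 reply code: mobile node failed authentication
        return home.register({"src": RELAY_IP, "dst": HOME_SERVER_IP, "inner": msg})

    def decapsulate(self, tunneled: dict) -> Optional[dict]:
        """Step 110: verify ICV and sequence number, then return the inner packet."""
        expected = mac(self.sa.key, (tunneled["hdr"] + tunneled["inner"]).encode())
        if not hmac.compare_digest(tunneled["icv"], expected):
            return None             # forged or corrupted tunnel packet
        spi, seq = (int(x) for x in tunneled["hdr"].split(":"))
        if spi != self.sa.spi or seq <= self.sa.last_seen:
            return None             # wrong SA or replayed packet
        self.sa.last_seen = seq
        return json.loads(tunneled["inner"])

def establish_sa(home: HomeServer, relay: RelayServer) -> None:
    """Step 107 stand-in: both ends receive the same fresh SPI and key."""
    sa = SecurityAssociation(spi=secrets.randbits(32), key=secrets.token_bytes(32))
    home.sa, relay.sa = sa, SecurityAssociation(sa.spi, sa.key)

def deliver(home: HomeServer, relay: RelayServer, pkt: dict) -> Optional[dict]:
    """Steps 108-110 for one packet addressed to the client's permanent IP."""
    translated = home.translate(pkt)
    return None if translated is None else relay.decapsulate(home.tunnel(translated))
```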

[0028] With reference to FIG. 2, when a relay server 22 is unavailable or deemed unreliable for security reasons, the client 24 may operate in a co-located mode. In this mode, all the functions performed by the relay server 22 are performed by the client 24 itself. Accordingly, in the co-located mode illustrated in FIG. 2, the client 24 may communicate directly with its home server 14 to register its new IP address (steps 102 and 103), encapsulate and transmit its registration (steps 104, 105, and 106), establish a security association and an encrypted tunnel 20 with its home server 14 (steps 107 and 109), and decapsulate received packets (step 110). In accordance with the present invention, when operating in co-located mode, the client 24 itself must acquire a topologically correct, temporary network address. In accordance with a preferred embodiment of the present invention, the client 24 may use multiple means to obtain such an address. For instance, the client 24 may use PPP (for dial-up connections), DHCP (for LANs without foreign agents), and even manual configuration of a valid care-of address. After a care-of address is obtained by the client 24, the operation of the present invention is exactly as described above.

[0029] In accordance with a preferred embodiment of the present invention, all data sent between the client 24, the home server 14 and the relay server 22 is preferably encrypted and authenticated using the IPSec ESP protocol. Alternatively, however, a variety of encryption methods and algorithms may be used including, for instance, PKI, RSA, DSA, DES, 3DES, and IKE protocols.

[0030] Further, in accordance with a preferred embodiment of the present invention, the establishment of secure connections, so-called security associations, is preferably performed according to the Internet Key Exchange (IKE) protocol. Additionally, the present invention supports both shared secrets and digital certificates (distributed via PKI) during the negotiation of security associations. Preferably, PKI configuration (e.g., selection of cryptographic algorithm) and administration (e.g., distribution of shared secrets or certificate management) is performed by the home server 14 of the present invention.

[0031] IKE requires two distinct phases in the establishment of security associations. The first phase serves two purposes. First, the negotiating parties authenticate each other and, second, they negotiate an intermediate security association to protect the second phase. In accordance with a preferred embodiment of the present invention, Public Key Infrastructure (PKI) digital certificates are preferably used during IKE negotiations.

[0032] In cases where a client 24 roams into a network protected by a firewall and/or an IPSec (VPN) Gateway (collectively referred to as “perimeter defense systems”), additional aspects of the present invention are required to freely exchange packets between the client 24 and its home network server 14. In accordance with a preferred embodiment of the present invention, three different methods for the secure traversal of network perimeter defense systems are provided. In short, these methods are: (a) traffic encapsulation in an authenticated HTTP tunnel, (b) authenticated firewall traversal via a surrogate home agent or proxy server located on the public side of the firewall, and (c) secure, IPSec-based traversal of a VPN Gateway. With reference now to FIGS. 4-7, each method will now be discussed.

[0033] FIG. 4 is a block diagram of a computer network arrangement 10 utilizing a first method for secure traversal of a network perimeter defense according to the present invention. FIG. 5 shows a flow diagram 200 illustrating operation of the present invention. At step 201, the roaming client 24 generates a message in HTTP Request-format. For the purposes of the present invention, HTTPS Response and Request Formats are considered just one type of HTTP Response and Request Formats.

[0034] In accordance with a preferred embodiment of the present invention, the HTTP Request-format messages are preferably encrypted, packetized and encapsulated for tunneling. At step 202, the client 24 transmits this message in HTTP Request-format to its home server 14 through any intervening firewalls 54, 26 via HTTP link 51.

[0035] In accordance with the present invention, since the HTTP Request-format traffic from the client 24 appears to the firewall as public Internet traffic, it will successfully traverse this first firewall 54 and ultimately arrive at the home network firewall 26. In accordance with a preferred embodiment of the present invention, HTTP Request-format traffic from the client 24 is first authenticated by the home network firewall 26 using an authentication protocol such as the SOCKS protocol or the like. Alternatively, firewall 26 may be configured to allow HTTP Request-format traffic to pass with lesser or greater degrees of authentication.

[0036] In step 203, once the HTTP Request-format message traffic is forwarded through the network firewall 26, it is processed by multiplexer subsystem 44, where the message traffic is encapsulated in UDP packets for forwarding to home server 14 via UDP link 45. As shown in FIG. 4, in accordance with a preferred embodiment of the present invention, the multiplexer subsystem 44 of the present invention may include an HTTP server 50 and a multiplexer 46. Additionally, the multiplexer subsystem 44 may further include a Fast CGI module 48 or other components as desired to increase network efficiency and speed.

[0037] Within the multiplexer subsystem 44, as shown in FIG. 4, the HTTP server 50 preferably receives the message traffic from the home network firewall 26 via HTTP link 51. Once received, the HTTP server 50 then routes the message traffic for further processing and routing. In accordance with a preferred embodiment of the present invention, the HTTP server 50 preferably routes the message traffic to a Fast CGI module 48 which then forwards the message traffic to multiplexer 46 via TCP link 47. From the multiplexer 46, the messages are parsed into UDP packets and forwarded to the home server 14 via UDP link 45.

[0038] At step 204, the home server 14 may respond to the client 24 by generating a reply which is encapsulated in UDP packets. At step 205, the encapsulated response is translated into HTTP Response-format. As shown in FIG. 4, the encapsulated response may be translated into HTTP Response-format via multiplexer subsystem 44 as described above. In step 206, the encapsulated response is then forwarded to its intended recipient as HTTP Response-format message traffic. In accordance with a preferred embodiment of the present invention, each HTTP link 51 may include strong authentication to create secure HTTP tunnels. Preferably, SOCKS protocol authentication or the like is provided within each firewall and Secure Socket Layer (SSL) or similar authentication is used within selected web and HTTP servers.
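The HTTP-to-UDP translation that multiplexer subsystem 44 performs in steps 201-206, as an added Python example (not the patent's or any product's code): the client side wraps datagrams in an HTTP Request-format message, and the multiplexer side validates the request, unpacks the datagrams for the home server and returns its replies in HTTP Response-format. The /tunnel path, the length-prefix framing and the MAX_FRAME limit are assumptions; the input checks show where a malformed request is rejected instead of being forwarded inward.

```python
"""HTTP-tunnel side of multiplexer subsystem 44 (steps 201-206), written for
this example; the 2-byte length-prefix framing, the /tunnel path and the
MAX_FRAME limit are assumptions, not the patent's own wire format."""
from __future__ import annotations
import struct
from typing import Callable, List

MAX_FRAME = 1472   # largest tunnelled datagram accepted (assumed: Ethernet MTU minus IP/UDP headers)


class TunnelError(ValueError):
    """Raised for any malformed or out-of-policy tunnel request."""


def frame(datagrams: List[bytes]) -> bytes:
    """Pack datagrams as <2-byte big-endian length><bytes>... (assumed framing)."""
    return b"".join(struct.pack("!H", len(d)) + d for d in datagrams)


def unframe(body: bytes) -> List[bytes]:
    """Split a framed body back into datagrams, rejecting malformed lengths."""
    out, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise TunnelError("dangling length prefix")
        (n,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if n == 0 or n > MAX_FRAME or pos + n > len(body):
            raise TunnelError("bad frame length")
        out.append(body[pos:pos + n])
        pos += n
    return out


def build_http_request(datagrams: List[bytes], host: str) -> bytes:
    """Step 201: the client wraps its (already encrypted) datagrams in an HTTP POST."""
    body = frame(datagrams)
    head = (f"POST /tunnel HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/octet-stream\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def parse_http_request(raw: bytes):
    """Parse one HTTP/1.1 request; returns (method, target, headers, body).
    Content-Length is mandatory so a truncated body is detected rather than tunnelled."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise TunnelError("incomplete header block")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] != b"HTTP/1.1":
        raise TunnelError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise TunnelError("bad header line")
        headers[name.strip().lower()] = value.strip()
    if not headers.get(b"content-length", b"").isdigit():
        raise TunnelError("Content-Length missing or invalid")
    length = int(headers[b"content-length"])
    if len(rest) < length:
        raise TunnelError("truncated body")
    return parts[0].decode(), parts[1].decode(), headers, rest[:length]


def build_http_response(datagrams: List[bytes]) -> bytes:
    """Steps 205-206: UDP replies from the home server become one HTTP response."""
    body = frame(datagrams)
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Cache-Control: no-store\r\nContent-Length: %d\r\n\r\n" % len(body))
    return head + body


def multiplex(raw_request: bytes, home_server: Callable[[bytes], bytes]) -> bytes:
    """Steps 203-205: HTTP request -> datagrams -> home server 14 -> HTTP response.
    home_server stands in for UDP link 45; it maps each request datagram to a reply."""
    method, target, _headers, body = parse_http_request(raw_request)
    if method != "POST" or target != "/tunnel":
        raise TunnelError("not a tunnel request")
    return build_http_response([home_server(d) for d in unframe(body)])
```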

[0039] With reference now to FIG. 6, an alternative firewall traversal method is illustrated for use as part of the present invention. As shown in FIG. 6, in accordance with a preferred embodiment of the present invention, the HTTP Request-format traffic from the client 24 (shown in “co-located” mode) may be forwarded to home server 14 via a proxy or “relay” server 32. In accordance with the present invention, the relay server 32 may authenticate registration messages sent by the client 24 in the same way the home network 12 would, as described above. Accordingly, the relay server 32 may receive registration messages from a client 24 and, if authentication is successful, the relay server 32 may encapsulate and forward messages through the firewall 26 to the home network server 14 via link 30. Thereafter, in accordance with the present invention, the home network server 14 may process the registration message and formulate a response which is then encapsulated and sent to the relay server 32. Accordingly, if the response indicates a successful registration, the relay server 32 may begin relaying tunneled packets between the client 24 and home server 14 via encrypted links 30 and 34. In accordance with a preferred embodiment of the present invention, the relay server 32 itself performs network address translation on packets addressed to and from the client 24. Further in accordance with a preferred embodiment of the present invention, immediately after registration, the client 24 may initiate an IKE negotiation to set up a security association with the home network 12.

[0040] With respect to packets transmitted between the proxy server 32 and the home server 14, in accordance with a preferred embodiment of the present invention, these are preferably encapsulated using standard protocol type 4 encapsulation (IP-in-IP encapsulation). According to the present invention, this allows for very tight filtering at the firewall, using both IP addresses, the protocol number, and possibly even hardware addresses. Consequently, the integrity of the firewall is not compromised even if the relay server were ever compromised. In an alternative embodiment, the relay server 32 may be incorporated into the firewall itself.
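An added Python example (not the patent's code) of the protocol type 4 encapsulation described above and of the firewall rule it allows: a packet is accepted only when its outer header shows IP-in-IP between the relay's and the home server's addresses, so nothing in the inner packet influences the filtering decision. The addresses are constructed.

```python
"""Protocol-4 (IP-in-IP) encapsulation between relay server 32 and home server 14
and the narrow firewall rule it makes possible. Written for this example; the
addresses are constructed and nothing here is the patent's own code."""
import socket
import struct

IPPROTO_IPIP = 4              # IP protocol number for IP-in-IP (RFC 2003)
IPPROTO_TCP, IPPROTO_UDP = 6, 17
RELAY_IP = "198.51.100.7"     # relay server 32, public side of firewall 26
HOME_SERVER_IP = "192.0.2.10" # home server 14, inside
CARE_OF_IP = "203.0.113.42"   # client 24's care-of address
CLIENT_HOME_IP = "10.0.0.5"   # client 24's permanent address

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Validate version, header length, total length and checksum; return fields."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total < ihl or len(pkt) < total:
        raise ValueError("malformed header")
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "proto": proto, "payload": pkt[ihl:total]}

def encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Wrap a complete IP packet in a protocol-4 outer header."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner)

def decapsulate(outer: bytes) -> dict:
    """Strip the outer header; the inner packet is parsed and validated again."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return parse_ipv4(o["payload"])

def firewall_allows(pkt: bytes, relay_ip: str, home_server_ip: str) -> bool:
    """Firewall 26 rule from the text: only protocol 4 between the relay and the
    home server, judged on the outer header alone. Because the firewall never
    acts on inner addresses, a compromised relay can still reach only the home
    server, which decapsulates and applies its own policy to the inner packet."""
    try:
        h = parse_ipv4(pkt)
    except ValueError:
        return False
    allowed_pairs = {(relay_ip, home_server_ip), (home_server_ip, relay_ip)}
    return h["proto"] == IPPROTO_IPIP and (h["src"], h["dst"]) in allowed_pairs
```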

[0041] With reference now to FIG. 7, a further alternative embodiment of the present invention is provided. As shown in FIG. 7, an IPSec Gateway 38 may be incorporated as part of the network arrangement 10 to secure the perimeter of home network 12. As shown, with the use of an IPSec gateway 38 or similar device, the client 24 of the present invention may establish an IPSec tunnel 40 directly between itself and the IPSec Gateway 38. The IPSec tunnel 40 is preferably configured to allow the IPSec gateway 38 to authenticate packets from the client 24 before allowing them to pass to the inside of the network 12 via encrypted link 42. Additionally, in accordance with a preferred embodiment of the present invention, the IPSec gateway 38 may be configured to incorporate the same functions of the relay server 22 described above.

[0042] According to a preferred embodiment of the present invention, the IPSec gateway 38 may be a VPN gateway or similar device. Further in accordance with a preferred embodiment of the present invention, the IPSec ESP or AH protocol may be used for authenticating packets.

[0043] As is readily apparent from the above detailed description, the system and method of the present invention may be used in a variety of network configurations in which network security and mobility are desirable. The system and method of the invention are also highly flexible and can be easily modified and customized to fit specific situations. For instance, the present invention may be used within network arrangements such as a local area network (LAN), including Ethernet and Token Ring access methods, a wireless local area network (WLAN), a metropolitan area network (MAN), a virtual local area network (VLAN), a wide area network (WAN), and a Bluetooth network. Additionally, the present invention may work within wireless data networks such as GPRS, NTT DoCoMo, Hot Spots, GSM-Data, CDMA-One and HS-CDS networks, and wired public networks such as POTS, DSL, Cable and ISDN networks.

[0044] Further, although the preferred embodiments are discussed without reference to a particular operating environment, the present invention may be used in a variety of server platforms and operating environments such as, for example, Windows NT, Me, XP, 95, 98 and 2000, as well as Unix, OS/2, Pocket PC and NetWare.

[0045] Additionally, the present invention may be used with a variety of networking links and protocols including those based upon, for example, a Network File System (NFS); a Web NFS; a Server Message Block (SMB); Samba; a Netware Core Protocol (NCP); a Distributed File System (DFS), and a Common Internet File System (CIFS) architecture, as well as use such transport protocols as, for example, TCP/IP, IPX/SPX, HTTP, HTTPS and NetBEUI.

[0046] The invention has been described with particular reference to preferred embodiments which are intended to be illustrative rather than restrictive. Alternative embodiments will become apparent to those skilled in the art to which this invention pertains without departing from its spirit and scope. Thus, such variations and modifications of the present invention can be effected within the spirit and scope of the following claims.

What is claimed is:
 1. In a computer network arrangement comprising a home network having at least one home network server and a firewall for protecting said home network server, a relay server outside of said home network, and a client having a permanent IP address within said home network, a method for maintaining secure communications between the home network server and the client when said client roams outside of said home network to a new location, said method comprising: establishing a new IP address for the new client location; sending a registration message to said relay server identifying said new IP address location; authenticating said registration message; encapsulating and transmitting said registration message to said home server; registering said new IP address as a care-of-address for said client at said home server; confirming the registration of said new IP address with said client; establishing a security association between said home server and said relay server on behalf of said client; performing network address translation between the client's permanent IP address and the client's new IP address; tunneling packets addressed for said client between said home server and said relay server based on the established security association and said address translation for said client; and decapsulating said packets at said relay server and forwarding said packets to said client.
 2. The method of claim 1, wherein said home network further comprises a multiplexer subsystem.
 3. The method of claim 1, wherein at least a portion of the communications from said client to said home server are in HTTP Request-format.
 4. The method of claim 3, wherein at least a portion of the communications from said home server to said client are in HTTP Response-format.
 5. The method of claim 4, wherein at least a portion of the communications from said client to said home server are encapsulated in UDP packets.
 6. The method of claim 5, wherein at least a portion of the communications from said home server to said client are encapsulated in UDP packets.
 7. The method of claim 1, wherein said method further comprises the step of: providing a network gateway, wherein said network gateway operates to tunnel packets through said firewall to said home server.
 8. The method of claim 7, wherein said network gateway is a Virtual Private Network gateway.
 9. In a computer network arrangement comprising a home network having at least one home network server and a firewall for protecting said home network server, a relay server outside of said home network, and a client having a permanent IP address within said home network, a method for maintaining secure communications between the home network server and the client when said client roams outside of said home network to a new location, said method comprising: establishing a new IP address for the new client location; sending a registration message to said home server identifying said new IP address location; encapsulating and transmitting said registration message to said home server; registering said new IP address as a care-of-address for said client at said home server; confirming the registration of said new IP address with said client; establishing a security association between said home server and said client; performing network address translation between the client's permanent IP address and the client's new IP address; and tunneling packets addressed for said client between said home server and said client based on the established security association and said address translation for said client.
 10. The method of claim 9, wherein said home network further comprises a multiplexer subsystem.
 11. The method of claim 9, wherein at least a portion of the communications from said client to said home server are in HTTP Request-format.
 12. The method of claim 11, wherein at least a portion of the communications from said home server to said client are in HTTP Response-format.
 13. The method of claim 12, wherein at least a portion of the communications from said client to said home server are encapsulated in UDP packets by said multiplexer subsystem.
 14. The method of claim 13, wherein at least a portion of the communications from said home server to said client are encapsulated in UDP packets by said multiplexer subsystem.
 15. The method of claim 9, wherein said method further comprises the step of: providing a network gateway, wherein said network gateway operates to tunnel packets through said firewall to said home server.
 16. The method of claim 15, wherein said network gateway is a Virtual Private Network gateway.
 17. A system for maintaining secure communications for a client having a permanent IP address within a home network system and a temporary, care-of IP address when roaming outside of said home network system, said system comprising: a home network server, wherein said home network server authenticates messages received from clients roaming outside of said home network system and performs network address translation between the client's permanent IP address and the client's registered care-of IP address, further wherein said home network server encapsulates and retransmits messages addressed to said client's permanent IP address to the client's registered care-of IP address; a relay server, said relay server located outside of said home network, wherein said relay server tunnels messages between said home network server and said client; and a multiplexer subsystem, wherein said multiplexer subsystem is comprised of an HTTP server and a multiplexer module.
 18. A method for communicating between a roaming client and a home server wherein at least one of either the client or the home server is protected by a firewall, said method comprising: generating a first message in HTTP Request-format; transmitting said first message in HTTP Request-format through said firewall; processing said first message, wherein said first message is encapsulated in UDP packets and forwarded to its intended recipient; generating a second message in response to said first message, wherein said second message is encapsulated in UDP packets; translating said second message into HTTP Response-Format; and transmitting said second message to its intended recipient.
 19. The method of claim 1, wherein said method further comprises the steps of: generating a first message in HTTP Request-format; transmitting said first message in HTTP Request-format through said firewall; processing said first message, wherein said first message is encapsulated in UDP packets and forwarded to its intended recipient; generating a second message in response to said first message, wherein said second message is encapsulated in UDP packets; translating said second message into HTTP Response-Format; and transmitting said second message to its intended recipient.
 20. The method of claim 9, wherein said method further comprises the steps of: generating a first message in HTTP Request-format; transmitting said first message in HTTP Request-format through said firewall; processing said first message, wherein said first message is encapsulated in UDP packets and forwarded to its intended recipient; generating a second message in response to said first message, wherein said second message is encapsulated in UDP packets; translating said second message into HTTP Response-Format; and transmitting said second message to its intended recipient.